Data Privacy in Job Recruitment

The online job-market business model involves building up a bank of CVs and matching those with possible job vacancies.  Unlike an old school recruitment agency there is no bank of real vacancies waiting for applicants.  The CV model will expose personal details to both real and potential employers; through jobs advertised directly to them, other on-line sources or simply spamming likely targets.  This can save a job applicant a deal of work as the steps of finding a vacancy, customising a CV and creating a targeted covering letter are much the same for any given category of job.  The process is somewhat less useful to an employer as it can lead to an increase in applications that all require further filtering before they can be considered in depth.

A good matching algorithm will sort and filter any possible matches and supply the best.  This will benefit the employer as there is less initial analysis required of applicants and establishes the CV provider as a reputable source.  Any such processing lies well within the GDPR legislation.  An ICO report from November 2024  has considered how well current AI based practices fit within the law.  Some core personal information needs to be collected to make a CV fit for purpose.  Sites that collect this data were found to be reasonably reliable in only collecting relevant information.  There could be a problem with AI being able to infer data that might prejudice an application.  This processing could occur either before or after a CV is presented to a job provider.  Some details are relatively easy to infer.  An application should not be prejudiced according to certain factors including as age, sex or ethnicity.  While this data is unlikely to be on a CV it will become apparent (although not necessarily correct) from the applicant’s name and history of previous employment.  By adding AI to the mixture more sophisticated and possibly unreliable conclusions could be drawn from the content and style of a CV allowing possibly prejudicial short-lists to be drawn up.

The ICO report also refers to the use of AI based tools to harvest information about applicants. Examples are anonymised but refer to screening and selection tools including games that are designed to assess an applicant’s suitability.  Such tools impinge on the GDPR principle of legitimate use for the responses provided by the applicant.  Procedures can be further ‘refined’ by comparing knowingly supplied data with related web and social media content to better profile the applicant with AI.  Again there are issues in that this additional data might be harvested without its creator’s consent and that any profile is not necessarily accurate.

Another issue lies with the storage of job application data.  The applicant will know that their CV is being stored by the collection engine.  The data retention policy of an example organisation ‘Jobseeker’  clearly explains the GDPR principles involved including the right to be forgotten.  It correctly points out that the CV data will be stored with potential employers. This throws a data retention problem because those employers will have differing rules on how long data is stored for.  Any applicant would have to reach out to each one individually and ask for their data to be forgotten.  The job provider will also face GDPR issues as they may want to keep CVs on hand for when a suitable vacancy arises.  The GDPR legislation (Principle ‘e’) is unclear on how long this might be for; simply stating ‘You must not keep personal data for longer than you need it’.

This can all work out where a legitimate job is filled by the right candidate.  The system falls apart when abused by ghost jobs. These are vacancies deliberately listed but that simply do not exist.  A June 2024 investigation by Resume Builder surveyed 1,641 USA based hiring managers and found that 40% of companies posted a fake job listing in the previous year. In 39% of cases applicants for these vacancies were subsequently contacted by the ‘employer’.   Many of the reasons given to advertise ghost jobs revolved around improving the company image.  This included making the company appear to be growing and receptive to external talent.  There was also the threat that it might make existing employees aware that they are replaceable.  Collecting applications on the basis that there might be a vacancy in the future would be a breach of GDPR.

More from Privacy

21/10/2024

Smart TVs – Getting Smarter At Watching You

Kindus has described how connected devices harvest personal data and how that can be misused or breached either by the hosting  body or others …

Read post

30/09/2024

The SPAM Bomb

The symptoms of a SPAM, email or subscription bomb attack are almost impossible to miss.  The victim will suddenly receive a very large volume …

Read post

16/09/2024

NHS Federated Data Platform Progress

Those with long memories will recall the time and money spent by the UK NHS in the early years of this century to build …

Read post

20/08/2024

Doxing

Doxing (or Doxxing) is the dropping of documents or information onto the Internet.  It is generally taken to mean the disclosing of information that …

Read post

Sign Up

Sign up to our newsletter list here.

    Successful sign up

    Thank you for signing up to our newsletter list.

    Check your inbox for all the latest information from Kindus

    Categories